IT Security Policies, Procedures and Guidance

NASA Policy Directives (NPD) and NASA Procedural Requirements (NPR)

Document Subject Effective Date
NPR 1382.1 NASA Privacy Procedural Requirements August 10, 2007
NPD 1382.17G NASA Privacy Policy August 24, 2004
NPD 1440.6H NASA Records Management March 24, 2008
NPR 1441.1D NASA Records Retention Schedules (w/Change 4, 1/31/08) February 24, 2003
NPD 2540.1F Personal Use of Government Office Equipment Including May 25, 2005
Information Technology
NPD 2800.1B Managing Information Technology March 21, 2008
NPR 2800.1 Managing Information Technology w/Change 1, 9/17/04 September 17, 1998
NPD 2810.1C NASA Information Security Policy April 7, 2004
NPR 2810.1A Security of Information Technology May 16, 2006
NPD 2830.1 NASA Enterprise Architecture December 16, 2005
NPR 2830.1 NASA Enterprise Architecture Procedures February 9, 2006
NPR 7120.7 NASA Information Technology and Institutional Infrastructure November 3, 2008
Program and Project Management Requirements

NASA Interim Directives (NID)

Document Subject Effective Date
NM2810-64 NASA Interim Directive: Information Technology Security and May 22, 2008
Efficiency Requirements

NASA Interim Technical Requirements (NITR)

Document Subject Effective Date
NITR 2810_22 Media Protection Policy and Procedures January 7, 2009
NITR 2830_1 Networks in NASA Internet Protocol (IP) Space or NASA Physical January 5, 2009
Space
NITR 2810_17 System Maintenance Policy and Procedures November 12, 2008
NITR 2810_19 Audit and Accountability Policy and Procedures November 12, 2008
NITR 2810_14 Managing Elevated User Privileges on NASA Desktop and Laptop September 11, 2008
Computers
NITR 2810_15 Contingency Planning June 9, 2008
NITR 2810_12 Continuous Monitoring May 18, 2008
NITR 1382_2 NASA Rules and Consequences to Safeguarding PII, with Change January 30, 2008
1, dated 02/04/2008
NITR 1382_1 Personally Identifiable Information (PII) Breach Response Policy December 21, 2007

Information Technology Security Standard Operating Procedures (ITS SOP)

Document Subject Effective Date
ITS-SOP 0002 NASA's Target Vulnerability Selection Procedures June 1, 2003
ITS-SOP 0003 NASA's IT Security Emergency After-Hours Test Procedures November 1, 2002
ITS-SOP NASA's Information Technology Requirement (NITR) Procedures September 29, 2008
0004.A
ITS-SOP Procedure for completing a NASA IT Security Program or System June 19, 2007
0005.B Assessment
ITS-SOP Extending an IT System Authorization To Operate March 3, 2007
0006.C
ITS-SOP System Security Plan Numbering Schema April 17, 2008
0007.B
ITS-SOP 0008 Procedure for Initiating and Managing Targeted Monitoring of March 3, 2006
electronic Data (being updated)
ITS-SOP 0009 Procedure for Updating and Managing NASA's Plan of Action and February 6, 2007
Milestones (POA&M)
ITS-SOP Patch Selection and Reporting Procedures (being updated) July 20, 2007
0012.B
ITS-SOP 0014 Procedure for approving Changes to NASA's Information April 18, 2006
Technology Baseline
ITS-SOP 0015 Agency IT Security Incident Classification and Reporting October 5, 2005
ITS-SOP IT Security Plan Template, Requirements, Guidance and Examples April 17, 2008
0016.C
ITS-SOP 0017 IT Security Penetration Test Plan and Rules of Engagement October 5, 2005
ITS-SOP 0018 Contract IT Security Program Plan Procedure October 5, 2005
ITS-SOP Procedure for the FIPS-199 Categorization of Information Systems July 11, 2006
0019.B
ITS-SOP 0020 Wireless Local Area Network Implementation October 05, 2005
ITS-SOP 0021 Network Security Vulnerability Scanning (new memo released on October 5, 2005
2/6/09)
ITS-SOP Determining Cost Impact of Information Technology Security October 18, 2007
0022.A Incidents
ITS-SOP IT System Certification & Accreditation Process for FIPS 199 July 7, 2008
0030.C Moderate & High Systems
ITS-SOP IT System Certification & Accreditation Process for FIPS 199 Low July 7, 2008
0031.C Systems
ITS-SOP 0032 Master IT Security Plan Template, requirements, Guidance and July 11, 2006
Examples
ITS-SOP 0033 External System Identification and IT Security Requirements July 19, 2007
ITS-SOP 0035 Digital Media Sanitization September 15, 2008
ITS-SOP 0040 Contingency Planning July 7, 2008
ITS-SOP 0043 Procedure for Selecting and tailoring NIST SP 800-53 Common June 6, 2007
Security Controls
ITS-SOP 0044 Procedure for Responding to a Breach of PII December 21, 2007
ITS-SOP 0046 Review and Reducing PII December 21, 2007
Standards
Document Subject Effective Date
EA-STD Standard for Integrating Applications into the NASA Access Aug 01, 2008
0001.0 Management, Authentication, and Authorization Infrastructure
EA-SOP Procedures for Submitting a NASA Agency Forest (NAF) Aug 01, 2008
0003.0 Deviation Request and Transition Plan
EA-SOP Procedures for Submitting an Application Integration Deviation Aug 01, 2008
0004.0 Request and Transition Plan
NASA-STD- MINIMUM INTEROPERABILITY SOFTWARE SUITE June 24, 2008
2804L
NASA-STD- MINIMUM HARDWARE CONFIGURATIONS June 24, 2008
2805L

Memoranda
From To
Deputy CIO for IT Center CIOs, Center
Security ITSMs
Chief Information Officials-in-Charge of
Officer Headquarters Offices,
NASA Center Directors
Senior Agency Center CIOs, Mission
Information Security Directorate CIOs, Center
Officer ITSMs
Chief Information All NASA Civil Service and
Officer Contractor Employees
Deputy CIO for IT Center CIOs
Security
Chief Information Memorandum for Record
Officer
Deputy CIO for IT Center ITSMs, Center
Security CAOs
Senior Agency Official Official-in-Charge of
for Privacy Headquarters Offices,
NASA Center Directors
Chief Information Center CIOs
Officer
Chief Information NASA CIOs, Mission
Officer Directorate CIOs, Center
ITSMs, Center Human
Resources Directors,
IEMP
Chief Information NASA CIOs, Mission
Officer Directorate CIOs, Center
ITSMs, Center ITSMs,
Center Human Resources
Directors, IEMP
Deputy CIO for IT Center ITSMs
Security
Deputy CIO for IT Center CIOs, Center
Security ITSMs, Center Training
Officers
Deputy CIO for IT Center CIOs, Center
Security ITSMs
Deputy CIO for IT Center CIOs, Center
Security ITSMs
Subject Effective
Date
FY 2009 Scanning and Vulnerability 2/06/2009
Elimination or Mitigation
Personally Identifiable Information (PII) 1/14/2009
Incident Reporting
Agency Organization-Defined Information 12/19/2008
Technology Security Controls
Policy for Use of Removable Media, Such 11/21/2008
as USB Thumb Drives
NASA Security Operations Center 10/29/2008
Operations and NASIRC Transition
Information Technology Management 10/8/2008
Board Decisions Regarding NCI Firewall
Settings and SharePoint 2007 Pilots
Certification and Accreditation Direction 9/17/2008
for FY09
Personally Identifiable Information (PII) 9/8/2008
Responsibilities Statement
Deployment of the Software Refresh 7/30/2008
Portal
Requirement to Log and Verify Sensitive 6/9/2008
Data Extracts
Remote Access to Personally Identifiable 6/9/2008
Information (PII)
Clarification on Requirement for 6/6/2008
Contractors to Complete NASA Annual IT
Security Awareness Training
Decision to Disallow Substitutions for 2/21/2008
Basic and Managers Information
Technology Security Awareness Training
System Security Documentation in RMS 2/20/2008
Supplemental FY08 Guidance for Agency 2/20/2008
Security Configurations Standards and
 FDCC Reporting
Chief Information Center CIOs, Deputy Information Discovery 2/4/2008
Officer CIOs
Deputy CIO for IT Center CIOs, Center Decision to Cancel Procurement 1/16/2008
Security ITSMs Information Circular (PIC) 04-03 (System
Administrator Certification Program)
Chief Information Official-in-Charge of Release of NPD 2200.1A, Management of 12/18/2007
Officer Headquarters Offices, NASA Scientific and Technical Information
NASA Center Directors
Chief Information Center CIOs, Mission Data at Rest Freeze 11/15/2007
Officer Directorate CIOs
Deputy CIO for IT Center CIOs, Mission Agency Security Configuration Standards: 11/15/2007
Security Directorate CIOs Federal Desktop Core Configurations
Chief Information Center Chief Information Designation of FIPS-199 Impact Level for 7/10/2007
Officer Officers NASA's OAIT Voice Systems
Chief Information Center Chief Information
Officer Officers Designation of FIPS-199 Impact Level for 7/10/2007
NASA OAIT Data Center Systems
Chief Information Center Chief Information Designation of FIPS-199 Impact Level for 7/10/2007
Officer Officers NASA OAIT LANs
Chief Information Center CIOs, Mission FY 2007 and FY 2008 Patch Management 4/4/2007
Officer (Acting) Directorate CIOs, Center and Security Configuration Metrics
ITSMs
Chief Information Center CIOs, Mission Meeting OMB Memoranda M-06-015 10/17/2006
Officer (Acting) Directorate CIOs “Safeguarding Personally Identifiable
Information;” M-06-016 “Protection of
Sensitive Agency Information,” and M-06-
019 “Reporting Incidents Involving
Personally Identifiable Information and
Incorporating the Cost for Security in
Agency Information Technology
Investments”
Deputy Administrator Administrator/Official-in- Meeting NASA Information Technology 7/26/2006
Charge of Headquarters Security Requirements
Offices, NASA Center
Directors
Deputy CIO for IT Center CIOs Designation of FIPS-199 Impact Level for 04/16/06
Security NASA OAIT Desktop Systems
Chief Information Official-in-Charge of Policy Governing NASA's Publicly 3/16/2006
Officer, Chief of Headquarters Offices, Accessible Web sites
Strategic NASA Center Directors,
Communications Center CIOs, Mission
Directorate CIOs
Chief Information Center CIOs Review and Approval of Changes to IT 1/31/2006
Officer Baseline
Chief Information Center CIOs Update of NASA Web site Linking Policy 12/15/2005
Officer, Assistant
Administrator of
Public Affairs
Chief Information Center CIOs Update of NASA Web site Privacy Policy 11/28/2005
Officer